If you've written your first iRule, you've most likely used the log command to check your iRule logic or reflect the status of the connections running through it. Recent updates to the log command make it even more useful by providing direct support within iRules for selective remote syslogging.
Remote Log Server Support
In LTM 9.4.0, the log command was enhanced to provide the ability to send messages to a remote server. You can also optionally specify the remote port if you want messages sent to a port other than the default remote syslog port (514). If you specify a remote log server address, you must also specify at least the log facility.
This discretionary remote log server support is extremely useful if you want specific iRule activity logged to a remote location, but still want to retain your existing global syslog-ng configuration.
Rule Name Suppression
By default, every BIG-IP log message looks something like the sample below:
Apr 8 04:20:42 tmm tmm: 01220002:6: Rule : Log me, baby
The “-noname” option was added in LTM 9.4.2 to allow suppression of any "Rule : <rulename> <event>" string that may be prefixed to the message by LTM. Its intended use was for remote logging, but it works locally as well. If you include the "-noname" option, you must also specify at least the log facility.
Here is the recommended basic log command syntax for local logging at the default log level. Specifying the facility ensures all activities will be logged as unique events; local0 is the default facility for LTM logging:
log local0. "Log me one time"
The resulting output looks like this:
Apr 8 04:20:42 tmm tmm: Rule : Log me one time
This example uses the "-noname" option to log locally while suppressing the "Rule : " prefix on the message text:
log -noname local0. "I could not speak"
with this result:
Apr 8 04:20:42 tmm tmm: I could not speak
Use this syntax to specify a remote syslog server on the default port, facility & level:
log 192.168.0.1 local0. "Log me 2x, girl"
The message with the "Rule : " prefix will be sent to the remote server:
Rule : Log me 2x, girl
This syntax will log to the syslog service at 192.168.0.1 on port 5514, suppressing the "Rule : " prefix:
log -noname 192.168.0.1:5514 local0. "Log me all thru the week"
The message, this time without the "Rule : " prefix, will be sent to the remote server on the specified port:
Log me all thru the week
You can still specify the log level in addition to the facility as in previous versions:
log 192.168.0.1:514 local0.warning "Log me 2x"
and the message format remains unchanged, although the message may be filtered differently:
Rule : Log me 2x
Finally, you can combine all three to send messages to a remote server on an alternate port, specifying a new log facility and level, and suppressing the iRule name output:
log -noname 192.168.0.1:5514 local3.warning "I'm goin' away"
This message will be sent to 192.168.0.1:5514 on local3.warning:
I'm goin' away
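As an added example (not part of the original article), the iRule below applies the combined syntax to selective security logging: only 401 and 403 responses are sent to the remote collector, and the client-supplied URI is sanitized before it reaches the log. The status codes chosen, the field layout and the variable names are assumptions; the collector address, port and facility are reused from the examples above.

```tcl
# Added example, not from the original article.
# Assumptions: collector 192.168.0.1:5514 and facility local3 are taken from
# the article's samples; the 401/403 selection, the key=value layout and the
# variable names (client, method, uri) are illustrative.

when HTTP_REQUEST {
    # Capture request details now; they are logged when the response arrives.
    set client [IP::client_addr]
    set method [HTTP::method]

    # The URI is client-controlled. Replace every byte outside printable
    # ASCII so a crafted request cannot place line breaks or terminal escape
    # sequences in the collector's log, and neutralize double quotes so the
    # quoted uri field below cannot be closed early.
    regsub -all {[^\x20-\x7e]} [HTTP::uri] "_" uri
    set uri [string map [list "\"" "'"] $uri]

    # Cap the length so one request cannot produce an oversized message.
    if { [string length $uri] > 256 } {
        set uri "[string range $uri 0 255]...(truncated)"
    }
}

when HTTP_RESPONSE {
    set status [HTTP::status]

    # Selective remote logging: only authentication and authorization
    # failures go to the remote server; everything else is left to the
    # existing global syslog-ng configuration.
    if { $status == 401 || $status == 403 } {
        # -noname drops the "Rule : " prefix so the collector receives a
        # clean key=value line. The facility must still be specified.
        log -noname 192.168.0.1:5514 local3.warning \
            "denied status=$status client=$client method=$method uri=\"$uri\""
    }
}
```

The same sanitizing step applies to any other client-supplied value, such as a request header, before it is interpolated into a log message.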
More on logging with iRules…
Full details of the “log” command can be found in the iRules wiki: https://devcentral.f5.com/wiki/default.aspx/iRules/log.html
Joe’s iRule Debugging article: iRules 101 #09 - Debugging
Need more extensive or global syslog configuration changes in LTM 9.4.2 & above? Check this: LTM 9.4.2+: Custom Syslog Configuration